How Hackers Set Up Illegal Mines for Virtual Currencies

How do hackers make money? It’s one thing to find a flaw in a software or hardware system that gives you a way to control a computer. Fine, now what do you do?

Increasingly, you turn those hijacked systems into a mining operation for digital currency, according to cybersecurity researchers at Dell SecureWorks.

SecureWorks recently tracked a case they say is the single most profitable such illegitimate mining operation uncovered so far.

Last year a researcher in Luxembourg disclosed a vulnerability in devices made by the Taiwanese company Synology. Synology sells what’s called network-attached storage, essentially file servers that are simple to plug into a home or small-business network and make storage and sharing easy—too easy, it turns out.

The operating system allowed access to the device from the Internet, without a login or password, opening the door for attackers to take control. A Google (GOOG) search in October showed the Internet addresses of more than 1 million of the machines, according to the SecureWorks researchers—each a path to a system that could be remotely commanded.

Synology put out patches. As is pretty much always true, a lot of people weren’t paying attention and didn’t update their systems. By February, users were complaining about how slowly their machines were working, and discovered a folder labeled “PWNED” on their units. (Pwned is hacker slang for “owning,” or controlling, someone else’s computer or system.)

A hacker had exploited security flaws to put software onto Synology devices that directed them to “mine” a digital currency called Dogecoin. Mining digital currency involves using computers to run calculations that tally up and certify the transactions made in that currency, with the reward of new coins.

Synology addressed the attack, without getting into the mining part, in a press release on Feb. 14 that told customers how to fix it. The latest operating system doesn’t have the flaw and allows for automated patching so customers don’t have to download fixes themselves, says Thadd Weil, a U.S.-based spokesman for the company.

The SecureWorks researchers say the hacker in this case is likely of German descent and goes by the handle Foilo, based on a name found in the mining software and searches on coding sites including GitHub.

By analyzing the commands the software issued to its enslaved devices, which sent the mined Dogecoins to two online “wallets,” and the transactions related to those accounts, the SecureWorks researchers tallied the hacker’s proceeds. Foilo mined more than 500 million Doge, mostly in January and February. The haul was worth about $620,496, the researchers estimate, calculated based on the conversion rate on the days the hacker moved the coins out of the online wallets.

“As cryptocurrencies continue to gain momentum, their popularity as a target for various malware will continue to rise,” the SecureWorks report said.